Re: [VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Huxing Zhang
Hi, here is my test result, although the vote has finished:

The proposed 9.0.0.M27 release is:
[ ] Broken - do not release
[ X ] Alpha - go ahead and release as 9.0.0.M27

Unit test passed.
Our web application works fine.
--
Mark Thomas 
2017 Sep 14 (Thu) 02:49
Tomcat Developers List 
[VOTE] Release Apache Tomcat 9.0.0.M27


The proposed Apache Tomcat 9.0.0.M27 release is now available for voting.

This is a milestone release for the 9.0.x branch. It should be
noted that, as a milestone release:
- Servlet 4.0 is not finalised
- It is not known if there will be a minor maintenance release for
  JSP 2.4, EL 3.1 or WebSocket 1.2

The major changes compared to the 9.0.0.M26 release are:

- Additional capabilities for the CGI Servlet. Based on patches provided
  by jm009.

- Added support for the OpenSSL SSL_CONF API. To support this the
  minimum required Tomcat Native version is 1.2.14.

Along with lots of other bug fixes and improvements.


For full details, see the changelog:
http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M27/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1152/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_0_M27/

The proposed 9.0.0.M27 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 9.0.0.M27

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r21712 - /dev/tomcat/tomcat-8/v8.5.21/ /release/tomcat/tomcat-8/v8.5.21/

2017-09-19 Thread markt
Author: markt
Date: Tue Sep 19 20:29:38 2017
New Revision: 21712

Log:
Release Apache Tomcat 8.5.21

Added:
release/tomcat/tomcat-8/v8.5.21/
  - copied from r21711, dev/tomcat/tomcat-8/v8.5.21/
Removed:
dev/tomcat/tomcat-8/v8.5.21/





[RESULT][VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Mark Thomas
The following votes were cast:

Binding:
+1: rjung, markt, fschumacher, mgrigorov, csutherl, violetagg

Non-binding:
+1: ebourg

The vote therefore passes.

Thank you to everyone who contributed to this release.

Mark




Re: [VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Violeta Georgieva
2017-09-13 21:49 GMT+03:00 Mark Thomas :
>
> The proposed Apache Tomcat 9.0.0.M27 release is now available for voting.
>
> This is a milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - It is not known if there will be a minor maintenance release for
>   JSP 2.4, EL 3.1 or WebSocket 1.2
>
> The major changes compared to the 9.0.0.M26 release are:
>
> - Additional capabilities for the CGI Servlet. Based on patches provided
>   by jm009.
>
> - Added support for the OpenSSL SSL_CONF API. To support this the
>   minimum required Tomcat Native version is 1.2.14.
>
> Along with lots of other bug fixes and improvements.
>
>
> For full details, see the changelog:
> http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M27/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1152/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_0_M27/
>
> The proposed 9.0.0.M27 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 9.0.0.M27


Regards,
Violeta


[RESULT][VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Mark Thomas
The following votes were cast:

Binding:
+1: markt, rjung, fschumacher, mgrigorov, violetagg

No other votes were cast.

The vote therefore passes.

Thank you to everyone who contributed to this release.





svn commit: r21710 - /dev/tomcat/tomcat-6/

2017-09-19 Thread markt
Author: markt
Date: Tue Sep 19 20:28:21 2017
New Revision: 21710

Log:
Tomcat 6 has reached end of life

Removed:
dev/tomcat/tomcat-6/





svn commit: r21711 - /dev/tomcat/tomcat-9/v9.0.0.M27/ /release/tomcat/tomcat-9/v9.0.0.M27/

2017-09-19 Thread markt
Author: markt
Date: Tue Sep 19 20:29:09 2017
New Revision: 21711

Log:
Release Apache Tomcat 9.0.0.M27

Added:
release/tomcat/tomcat-9/v9.0.0.M27/
  - copied from r21710, dev/tomcat/tomcat-9/v9.0.0.M27/
Removed:
dev/tomcat/tomcat-9/v9.0.0.M27/





Re: Draft EOL announcement for Tomcat Native 1.1.x

2017-09-19 Thread Mark Thomas
Updated with Konstantin's feedback.

Further comments, feedback etc welcome.



The Apache Tomcat Team announces that support for Apache Tomcat Native
1.1.x will end on 30 September 2018.

This means that after 30 September 2018:
- releases from the 1.1.x branch are highly unlikely
- bugs affecting only the 1.1.x branch will not be addressed
- security vulnerability reports will not be checked against the 1.1.x
  branch
- Apache Tomcat releases of 7.0.x after this date may require 1.2.x as a
  minimum

Three months later (i.e. after 31 December 2018)
- the 1.1.x download pages will be removed
- the latest 1.1.x release will be removed from the mirror system
- the links to the 1.1.x documentation will be removed from
  tomcat.apache.org

The latest binary releases of 1.1.x for Windows are not built with a
current version of OpenSSL and will therefore be removed from the
download pages with immediate effect.

Please also note the following additional information:

Tomcat 8.5.x and 9.0.x require a minimum of Tomcat Native 1.2.x and are
therefore unaffected by this notice.

Tomcat 8.0.x will reach end of life on 30 June 2018 and is therefore
unaffected by this notice.

Only Tomcat 7.0.x is affected by this notice.

Tomcat 7.0.x has shipped with Tomcat Native 1.2.x since 7.0.70 (June 2016).

All 1.1.x releases will always be available from the archive.

Tomcat Native 1.2.x is a drop-in replacement for 1.1.x although it does
require OpenSSL 1.0.2 as a minimum.

All Tomcat Native releases from 1.1.34 onwards have indicated that users
should use 1.2.x in preference to 1.1.x.

The most recent release of 1.1.x (1.1.34) was released in December 2015.
It is likely that 1.1.34 will be the final 1.1.x release unless a
security vulnerability is discovered in 1.1.x that cannot be worked
around without a new release.

-- 
The Apache Tomcat Team





[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html




[SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure

2017-09-19 Thread Mark Thomas
CVE-2017-7674 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80

Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81

Credit:
This issue was identified by the Tomcat Security Team while
investigating CVE-2017-12615.

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html
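
A configuration check covering this advisory and the CVE-2017-12615 advisory before it, added here as an example; it is not part of the original messages or of Tomcat's code. The class names, the sample `web.xml` and `context.xml`, the function names, and the rule that any `readonly` value other than "true" counts as false (as with Java's `Boolean.parseBoolean`) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges (inclusive), copied from the two advisories.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}
# Assumption: Tomcat 7 class names; the advisories do not spell them out.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
VIRTUAL_DIR_CONTEXT = "org.apache.naming.resources.VirtualDirContext"

# Constructed sample configuration (not taken from any real deployment).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>False</param-value>
    </init-param>
  </servlet>
</web-app>"""
CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/static=/srv/example/static"/>
</Context>"""


def parse_version(text):
    """Return the leading major.minor.patch of a Tomcat version as a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError("unsupported version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def in_range(cve, version):
    low, high = AFFECTED[cve]
    return low <= parse_version(version) <= high


def _local(tag):
    # Drop the "{namespace}" prefix ElementTree adds to namespaced tags.
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def writable_default_servlets(web_xml):
    """Names of DefaultServlet declarations whose readonly param is not true."""
    hits = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") != "readonly":
                continue
            # Assumption: parsed like Boolean.parseBoolean, so "False",
            # "no" or an empty value all switch read-only mode off.
            if (_text(param, "param-value") or "").lower() != "true":
                hits.append(_text(servlet, "servlet-name"))
    return hits


def uses_virtual_dir_context(context_xml):
    """True if any element is configured with the VirtualDirContext class."""
    return any(e.get("className") == VIRTUAL_DIR_CONTEXT
               for e in ET.fromstring(context_xml).iter())


def assess(version, web_xml, context_xml, on_windows):
    """Return the advisories whose stated preconditions this setup meets."""
    findings = []
    if (in_range("CVE-2017-12615", version) and on_windows
            and writable_default_servlets(web_xml)):
        findings.append("CVE-2017-12615")
    if (in_range("CVE-2017-12616", version)
            and uses_virtual_dir_context(context_xml)):
        findings.append("CVE-2017-12616")
    return findings


if __name__ == "__main__":
    for version in ("7.0.79", "7.0.80", "7.0.81"):
        print(version, assess(version, WEB_XML, CONTEXT_XML, on_windows=True))
```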




Re: [VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Coty Sutherland
On Wed, Sep 13, 2017 at 5:02 PM, Mark Thomas  wrote:
> The proposed Apache Tomcat 8.5.21 release is now available for voting.
>
> The major changes compared to the 8.5.20 release are:
>
> - Additional capabilities for the CGI Servlet. Based on patches provided
>   by jm009.
>
> - Added support for the OpenSSL SSL_CONF API. To support this the
>   minimum required Tomcat Native version is 1.2.14.
>
> Along with lots of other bug fixes and improvements.
>
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.21/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1153/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_21/
>
> The proposed 8.5.21 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 8.5.21

+1




svn propchange: r1804604 - svn:log

2017-09-19 Thread markt
Author: markt
Revision: 1804604
Modified property: svn:log

Modified: svn:log at Tue Sep 19 11:01:02 2017
--
--- svn:log (original)
+++ svn:log Tue Sep 19 11:01:02 2017
@@ -3,3 +3,5 @@ Code clean-up
 - Correct indent
 - Consistent use of file()
 - Add {} to improve readability
+
+This is part of the fix for CVE-2017-12615





svn propchange: r1804729 - svn:log

2017-09-19 Thread markt
Author: markt
Revision: 1804729
Modified property: svn:log

Modified: svn:log at Tue Sep 19 11:01:39 2017
--
--- svn:log (original)
+++ svn:log Tue Sep 19 11:01:39 2017
@@ -1 +1,4 @@
 Correct regression in r1804604 that broke WebDAV.
+
+This is part of the fix for CVE-2017-12615
+This is the fix for CVE-2017-12616





svn commit: r1808857 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2017-09-19 Thread markt
Author: markt
Date: Tue Sep 19 10:57:45 2017
New Revision: 1808857

URL: http://svn.apache.org/viewvc?rev=1808857&view=rev
Log:
Add details for CVE-2017-12615 and CVE-2017-12616

Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1808857&r1=1808856&r2=1808857&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Sep 19 10:57:45 2017
@@ -218,6 +218,9 @@
 Apache Tomcat 7.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 7.0.81
+
+
 Fixed in Apache Tomcat 7.0.79
 
 
@@ -377,6 +380,67 @@
 
   
 
+
+16 August 2017 Fixed in Apache Tomcat 
7.0.81
+
+
+
+
+Important: Information Disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616; 
rel="nofollow">CVE-2017-12616
+
+
+
+When using a VirtualDirContext it was possible to bypass security
+   constraints and/or view the source code of JSPs for resources served by
+   the VirtualDirContext using a specially crafted request.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=revrev=1804729;>1804729.
+
+
+This issue was identified by the Tomcat Security Team on 10 August 2017
+   and made public on 19 September 2017.
+
+
+Affects: 7.0.0 to 7.0.80
+
+
+
+Important: Remote Code Execution
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615; 
rel="nofollow">CVE-2017-12615
+
+
+
+
+Note: The issue below was fixed in Apache Tomcat 7.0.80 but the
+   release vote for the 7.0.81 release candidate did not pass. Therefore,
+   although users must download 7.0.81 to obtain a version that includes
+   the fix for this issue, version 7.0.80 is not included in the list of
+   affected versions.
+
+
+
+When running on Windows with HTTP PUTs enabled (e.g. via setting the
+   readonly initialisation parameter of the Default to false)
+   it was possible to upload a JSP file to the server via a specially
+   crafted request. This JSP could then be requested and any code it
+   contained would be executed by the server.
+
+
+This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1804604;>1804604 and
+   http://svn.apache.org/viewvc?view=revrev=1804729;>1804729.
+
+
+This issue was reported responsibly to the Apache Tomcat Security Team by
+   iswin from 360-sg-lab (360观星实验室) on 26 July 2017 and made 
public on 19
+   September 2017.
+
+
+Affects: 7.0.0 to 7.0.79
+
+  
+
 
 1 July 2017 Fixed in Apache Tomcat 
7.0.79
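Review bot: In the note above the CVE-2017-12615 description, "fixed in Apache Tomcat 7.0.80 but the release vote for the 7.0.81 release candidate did not pass" contradicts itself. The section heading says the fix is in 7.0.81 and the same note tells users to download 7.0.81, so the vote that failed must be the 7.0.80 one. Change "7.0.81 release candidate" to "7.0.80 release candidate".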
 

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1808857&r1=1808856&r2=1808857&view=diff
==
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Tue Sep 19 10:57:45 2017
@@ -50,6 +50,48 @@
 
   
 
+  
+
+Important: Information Disclosure
+   CVE-2017-12616
+
+When using a VirtualDirContext it was possible to bypass security
+   constraints and/or view the source code of JSPs for resources served by
+   the VirtualDirContext using a specially crafted request.
+
+This was fixed in revision 1804729.
+
+This issue was identified by the Tomcat Security Team on 10 August 2017
+   and made public on 19 September 2017.
+
+Affects: 7.0.0 to 7.0.80
+
+Important: Remote Code Execution
+   CVE-2017-12615
+
+Note: The issue below was fixed in Apache Tomcat 7.0.80 but the
+   release vote for the 7.0.81 release candidate did not pass. Therefore,
+   although users must download 7.0.81 to obtain a version that includes
+   the fix for this issue, version 7.0.80 is not included in the list of
+   affected versions.
+
+When running on Windows with HTTP PUTs enabled (e.g. via setting the
+   readonly initialisation parameter of the Default to false)
+   it was possible to upload a JSP file to the server via a specially
+   crafted request. This JSP could then be requested and any code it
+   contained would be executed by the server.
+
+This was fixed in revisions 1804604 and
+   1804729.
+
+This issue was reported responsibly to the Apache Tomcat Security Team 
by
+   iswin from 360-sg-lab (360观星实验室) on 26 July 2017 and made 
public on 19
+   September 2017.
+
+Affects: 7.0.0 to 7.0.79
+
+  
+
   
 
 Moderate: Cache Poisoning
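Review bot: In the CVE-2017-12615 description, "the readonly initialisation parameter of the Default to false" is missing its noun; it should read "of the Default servlet" so readers know which servlet declaration to inspect. Since the entry names readonly set to false as the way PUT gets enabled, a closing sentence stating that installations which leave readonly unchanged are not exposed through that route would also help users who cannot upgrade immediately.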






[CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12615, as per the subject line.


On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.79
> 
> Description:
> When running on Windows with HTTP PUTs enabled (e.g. via setting the
> readonly initialisation parameter of the Default to false) it was
> possible to upload a JSP file to the server via a specially crafted
> request. This JSP could then be requested and any code it contained
> would be executed by the server.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
> 
> Credit:
> This issue was reported responsibly to the Apache Tomcat Security Team
> by iswin from 360-sg-lab (360观星实验室)
> 
> History:
> 2017-09-19 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-7.html
> 





[CORRECTION][SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure

2017-09-19 Thread Mark Thomas
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12616, as per the subject line.

On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-7674 Apache Tomcat Information Disclosure
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.80
> 
> Description:
> When using a VirtualDirContext it was possible to bypass security
> constraints and/or view the source code of JSPs for resources served by
> the VirtualDirContext using a specially crafted request.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81
> 
> Credit:
> This issue was identified by the Tomcat Security Team while
> investigating CVE-2017-12615.
> 
> History:
> 2017-09-19 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-7.html
> 





Tagging Tomcat 7/8.0

2017-09-19 Thread Violeta Georgieva
Hi,

I'm planning to start preparing Tomcat 7/8.0 for a release later today.
If you would like to include something in addition, please reply here.

Regards,
Violeta


svn commit: r1808880 - in /tomcat/tc8.5.x/trunk: java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl
Date: Tue Sep 19 14:07:02 2017
New Revision: 1808880

URL: http://svn.apache.org/viewvc?rev=1808880&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of 
throwing a NegativeArraySizeException.

Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java?rev=1808880&r1=1808879&r2=1808880&view=diff
==
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java 
Tue Sep 19 14:07:02 2017
@@ -49,7 +49,7 @@ public class ServerCookies {
 }
 
 if (cookieCount >= serverCookies.length) {
-int newSize = Math.min(2*cookieCount, limit);
+int newSize = limit > -1 ? Math.min(2*cookieCount, limit) : 
2*cookieCount;
 ServerCookie scookiesTmp[] = new ServerCookie[newSize];
 System.arraycopy(serverCookies, 0, scookiesTmp, 0, cookieCount);
 serverCookies = scookiesTmp;
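Review bot: On the changed newSize line, the limit > -1 branch still returns limit once 2*cookieCount exceeds it, so when cookieCount has already reached limit (or limit is 0) the new array is no larger than the old one and the slot at index cookieCount does not exist. The hunk does not show whether the block closed by the } above rejects that case before this code runs, so please confirm it does. The other branch grows by 2*cookieCount with no cap, which deserves a line in the attribute documentation saying that a negative value removes the bound on cookies per request.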

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1808880&r1=1808879&r2=1808880&view=diff
==
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Tue Sep 19 14:07:02 2017
@@ -59,6 +59,14 @@
   
 
   
+  
+
+  
+Update fix for 59904 so that values less than zero are 
accepted
+instead of throwing a NegativeArraySizeException. (remm)
+  
+
+  
 
 
   






svn commit: r1808881 - in /tomcat/trunk: ./ java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl
Date: Tue Sep 19 14:10:12 2017
New Revision: 1808881

URL: http://svn.apache.org/viewvc?rev=1808881&view=rev
Log:
Cherry-pick r1808880 from 8.5.x/trunk

Modified:
tomcat/trunk/   (props changed)
tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
tomcat/trunk/webapps/docs/changelog.xml   (contents, props changed)

Propchange: tomcat/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Sep 19 14:10:12 2017
@@ -1 +1 @@
-/tomcat/tc8.5.x/trunk:1802799
+/tomcat/tc8.5.x/trunk:1802799,1808880

Modified: tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java?rev=1808881&r1=1808880&r2=1808881&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java Tue Sep 19 
14:10:12 2017
@@ -49,7 +49,7 @@ public class ServerCookies {
 }
 
 if (cookieCount >= serverCookies.length) {
-int newSize = Math.min(2*cookieCount, limit);
+int newSize = limit > -1 ? Math.min(2*cookieCount, limit) : 
2*cookieCount;
 ServerCookie scookiesTmp[] = new ServerCookie[newSize];
 System.arraycopy(serverCookies, 0, scookiesTmp, 0, cookieCount);
 serverCookies = scookiesTmp;
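Review bot: No test accompanies the new limit > -1 ? ... : 2*cookieCount expression; the Modified list for this revision contains only ServerCookies.java and changelog.xml. A unit test that adds more cookies than the initial array holds while the limit is negative would pin the NegativeArraySizeException regression described in the log message and guard the array growth path against later changes.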

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1808881&r1=1808880&r2=1808881&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Sep 19 14:10:12 2017
@@ -74,6 +74,14 @@
   
 
   
+  
+
+  
+Update fix for 59904 so that values less than zero are 
accepted
+instead of throwing a NegativeArraySizeException. (remm)
+  
+
+  
 
 
   

Propchange: tomcat/trunk/webapps/docs/changelog.xml
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Sep 19 14:10:12 2017
@@ -1 +1 @@
-/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml:1781934
+/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml:1781934,1808880






svn commit: r1808887 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/http/Cookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl
Date: Tue Sep 19 14:22:06 2017
New Revision: 1808887

URL: http://svn.apache.org/viewvc?rev=1808887&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of 
throwing a NegativeArraySizeException.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Sep 19 14:22:06 2017
@@ -1,3 +1,3 @@

svn commit: r1808884 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl
Date: Tue Sep 19 14:17:12 2017
New Revision: 1808884

URL: http://svn.apache.org/viewvc?rev=1808884&view=rev
Log:
Update fix for bug 59904 so that values less than zero are accepted instead of 
throwing a NegativeArraySizeException.

Modified:
tomcat/tc8.0.x/trunk/   (props changed)
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/http/ServerCookies.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.0.x/trunk/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Sep 19 14:17:12 2017
@@ -1,2 +1,2 @@
-/tomcat/tc8.5.x/trunk:1735042,1737966,1743139-1743140,1744151,1747537,1747925,1748002,1754614,1754643,1762124,1762183,1762203,1763792,1772948,1777014,1779719,1782037,1782240,1782386-1782387,1785669,1786845,1788249,1788324,1788905,1789216,1789335,1791528,1791558,1796697-1796698,1797521,1798543,1799162,1800143,1801693,1802805,1806799,1807079-1807080
+/tomcat/tc8.5.x/trunk:1735042,1737966,1743139-1743140,1744151,1747537,1747925,1748002,1754614,1754643,1762124,1762183,1762203,1763792,1772948,1777014,1779719,1782037,1782240,1782386-1782387,1785669,1786845,1788249,1788324,1788905,1789216,1789335,1791528,1791558,1796697-1796698,1797521,1798543,1799162,1800143,1801693,1802805,1806799,1807079-1807080,1808880
 

Re: [VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Violeta Georgieva
2017-09-14 0:02 GMT+03:00 Mark Thomas :
>
> The proposed Apache Tomcat 8.5.21 release is now available for voting.
>
> The major changes compared to the 8.5.20 release are:
>
> - Additional capabilities for the CGI Servlet. Based on patches provided
>   by jm009.
>
> - Added support for the OpenSSL SSL_CONF API. To support this the
>   minimum required Tomcat Native version is 1.2.14.
>
> Along with lots of other bug fixes and improvements.
>
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.21/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1153/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_21/
>
> The proposed 8.5.21 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.21


Regards,
Violeta